Fix NSEC3 ring to match clear entries
index 1e73484caa1f2f20c9e67af0944c9725f884a534..cbf5bc81d719c237a11a996e46dd83f3a35f18c9 100644 (file)
@@ -4,13 +4,34 @@
 \usepackage[utf8]{inputenc}
 \usepackage{listings}
 
+\usepackage{tikz}
+
+\usetikzlibrary{positioning,intersections,backgrounds,calc,shadings,shapes.arrows,shapes.symbols,shadows}
+\usepgflibrary{shapes.geometric}
+\usepgflibrary{shapes.misc}
+\usepgflibrary{shapes.symbols}
+\usepgflibrary{shapes}
+\usetikzlibrary{shapes,decorations,shadows}
+\usetikzlibrary{decorations.pathmorphing}
+\usetikzlibrary{decorations.shapes}
+\usetikzlibrary{decorations.text}
+\usetikzlibrary{fadings}
+\usetikzlibrary{patterns}
+\usetikzlibrary{calc}
+\tikzstyle{netdb}=[anchor=center,color=black,rectangle,draw,minimum
+size=.6em,minimum height=.2em]
+\tikzstyle{client}=[fill=i4gray,rectangle,draw]
+\tikzstyle{chain}=[rectangle,draw,minimum size=1em,minimum height=.5em]
+\tikzstyle{arrow}=[->,thick,draw,shorten <=2pt,shorten >=2pt,]
+\tikzstyle{tunnel}=[fill=gray,shape=ellipse,minimum size=4em,minimum height=1.1em]
+
 
 \usetheme{CambridgeUS}
 \usefonttheme{structuresmallcapsserif}
 \title{DNSSEC}
 \author{Christoph Egger}
-\institute[Debian]{The Debian Project}
-\date{}
+%\institute[Debian]{The Debian Project}
+\date{\today}
 
 \usebackgroundtemplate{\includegraphics[width=\paperwidth]{images/swirl-lightest}}
 \logo{\includegraphics[viewport=274 335 360 440,width=1cm]{images/openlogo-nd.pdf}}
 \setbeamercolor{palette sidebar quaternary}{fg=debianred}
 
 \setbeamercolor{block title}{fg=debianblue}
- \setbeamercolor{description item}{fg=debianblue}
+\setbeamercolor{description item}{fg=debianblue}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% http://www.texample.net/media/tikz/examples/TEX/network-topology.tex %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\makeatletter
+\pgfkeys{/pgf/.cd,
+  parallelepiped offset x/.initial=2mm,
+  parallelepiped offset y/.initial=2mm
+}
+\pgfdeclareshape{parallelepiped}
+{
+  \inheritsavedanchors[from=rectangle] % this is nearly a rectangle
+  \inheritanchorborder[from=rectangle]
+  \inheritanchor[from=rectangle]{north}
+  \inheritanchor[from=rectangle]{north west}
+  \inheritanchor[from=rectangle]{north east}
+  \inheritanchor[from=rectangle]{center}
+  \inheritanchor[from=rectangle]{west}
+  \inheritanchor[from=rectangle]{east}
+  \inheritanchor[from=rectangle]{mid}
+  \inheritanchor[from=rectangle]{mid west}
+  \inheritanchor[from=rectangle]{mid east}
+  \inheritanchor[from=rectangle]{base}
+  \inheritanchor[from=rectangle]{base west}
+  \inheritanchor[from=rectangle]{base east}
+  \inheritanchor[from=rectangle]{south}
+  \inheritanchor[from=rectangle]{south west}
+  \inheritanchor[from=rectangle]{south east}
+  \backgroundpath{
+    % store lower right in xa/ya and upper right in xb/yb
+    \southwest \pgf@xa=\pgf@x \pgf@ya=\pgf@y
+    \northeast \pgf@xb=\pgf@x \pgf@yb=\pgf@y
+    \pgfmathsetlength\pgfutil@tempdima{\pgfkeysvalueof{/pgf/parallelepiped
+      offset x}}
+    \pgfmathsetlength\pgfutil@tempdimb{\pgfkeysvalueof{/pgf/parallelepiped
+      offset y}}
+    \def\ppd@offset{\pgfpoint{\pgfutil@tempdima}{\pgfutil@tempdimb}}
+    \pgfpathmoveto{\pgfqpoint{\pgf@xa}{\pgf@ya}}
+    \pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@ya}}
+    \pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@yb}}
+    \pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}}
+    \pgfpathclose
+    \pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@ya}}
+    \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@ya}}{\ppd@offset}}
+    \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}}
+    \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xa}{\pgf@yb}}{\ppd@offset}}
+    \pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}}
+    \pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@yb}}
+    \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}}
+  }
+}
+\makeatother
+
+\tikzset{l3 switch/.style={
+    parallelepiped,fill=switch, draw=white,
+    minimum width=0.75cm,
+    minimum height=0.75cm,
+    parallelepiped offset x=1.75mm,
+    parallelepiped offset y=1.25mm,
+    path picture={
+      \node[fill=white,
+        circle,
+        minimum size=6pt,
+        inner sep=0pt,
+        append after command={
+          \pgfextra{
+            \foreach \angle in {0,45,...,360}
+            \draw[-latex,fill=white] (\tikzlastnode.\angle)--++(\angle:2.25mm);
+          }
+        }
+      ]
+       at ([xshift=-0.75mm,yshift=-0.5mm]path picture bounding box.center){};
+    }
+  },
+  ports/.style={
+    line width=0.3pt,
+    top color=gray!20,
+    bottom color=gray!80
+  },
+  rack switch/.style={
+    parallelepiped,fill=white, draw,
+    minimum width=1.25cm,
+    minimum height=0.25cm,
+    parallelepiped offset x=2mm,
+    parallelepiped offset y=1.25mm,
+    xscale=-1,
+    path picture={
+      \draw[top color=gray!5,bottom color=gray!40]
+      (path picture bounding box.south west) rectangle
+      (path picture bounding box.north east);
+      \coordinate (A-west) at ([xshift=-0.2cm]path picture bounding box.west);
+      \coordinate (A-center) at ($(path picture bounding box.center)!0!(path
+        picture bounding box.south)$);
+      \foreach \x in {0.275,0.525,0.775}{
+        \draw[ports]([yshift=-0.05cm]$(A-west)!\x!(A-center)$)
+          rectangle +(0.1,0.05);
+        \draw[ports]([yshift=-0.125cm]$(A-west)!\x!(A-center)$)
+          rectangle +(0.1,0.05);
+       }
+      \coordinate (A-east) at (path picture bounding box.east);
+      \foreach \x in {0.085,0.21,0.335,0.455,0.635,0.755,0.875,1}{
+        \draw[ports]([yshift=-0.1125cm]$(A-east)!\x!(A-center)$)
+          rectangle +(0.05,0.1);
+      }
+    }
+  },
+  server/.style={
+    parallelepiped,
+    fill=white, draw,
+    minimum width=0.35cm,
+    minimum height=0.75cm,
+    parallelepiped offset x=3mm,
+    parallelepiped offset y=2mm,
+    xscale=-1,
+    path picture={
+      \draw[top color=gray!5,bottom color=gray!40]
+      (path picture bounding box.south west) rectangle
+      (path picture bounding box.north east);
+      \coordinate (A-center) at ($(path picture bounding box.center)!0!(path
+        picture bounding box.south)$);
+      \coordinate (A-west) at ([xshift=-0.575cm]path picture bounding box.west);
+      \draw[ports]([yshift=0.1cm]$(A-west)!0!(A-center)$)
+        rectangle +(0.2,0.065);
+      \draw[ports]([yshift=0.01cm]$(A-west)!0.085!(A-center)$)
+        rectangle +(0.15,0.05);
+      \fill[black]([yshift=-0.35cm]$(A-west)!-0.1!(A-center)$)
+        rectangle +(0.235,0.0175);
+      \fill[black]([yshift=-0.385cm]$(A-west)!-0.1!(A-center)$)
+        rectangle +(0.235,0.0175);
+      \fill[black]([yshift=-0.42cm]$(A-west)!-0.1!(A-center)$)
+        rectangle +(0.235,0.0175);
+    }
+  },
+}
+
+\usetikzlibrary{calc, shadings, shadows, shapes.arrows}
+
+% Styles for interfaces and edge labels
+\tikzset{%
+  interface/.style={draw, rectangle, rounded corners, font=\LARGE\sffamily},
+  ethernet/.style={interface, fill=yellow!50},% ethernet interface
+  serial/.style={interface, fill=green!70},% serial interface
+  speed/.style={sloped, anchor=south, font=\large\sffamily},% line speed at edge
+  route/.style={draw, shape=single arrow, single arrow head extend=4mm,
+    minimum height=1.7cm, minimum width=3mm, white, fill=switch!20,
+    drop shadow={opacity=.8, fill=switch}, font=\tiny}% inroute/outroute arrows
+}
+\newcommand*{\shift}{1.3cm}% For placing the arrows later
+
+% The router icon
+\newcommand*{\router}[1]{
+\begin{tikzpicture}
+  \coordinate (ll) at (-3,0.5);
+  \coordinate (lr) at (3,0.5);
+  \coordinate (ul) at (-3,2);
+  \coordinate (ur) at (3,2);
+  \shade [shading angle=90, left color=switch, right color=white] (ll)
+    arc (-180:-60:3cm and .75cm) -- +(0,1.5) arc (-60:-180:3cm and .75cm)
+    -- cycle;
+  \shade [shading angle=270, right color=switch, left color=white!50] (lr)
+    arc (0:-60:3cm and .75cm) -- +(0,1.5) arc (-60:0:3cm and .75cm) -- cycle;
+  \draw [thick] (ll) arc (-180:0:3cm and .75cm)
+    -- (ur) arc (0:-180:3cm and .75cm) -- cycle;
+  \draw [thick, shade, upper left=switch, lower left=switch,
+    upper right=switch, lower right=white] (ul)
+    arc (-180:180:3cm and .75cm);
+  \node at (0,0.5){\color{blue!60!black}\Huge #1};% The name of the router
+  % The four arrows, symbols for incoming and outgoing routes:
+  \begin{scope}[yshift=2cm, yscale=0.28, transform shape]
+    \node[route, rotate=45, xshift=\shift] {\strut};
+    \node[route, rotate=-45, xshift=-\shift] {\strut};
+    \node[route, rotate=-135, xshift=\shift] {\strut};
+    \node[route, rotate=135, xshift=-\shift] {\strut};
+  \end{scope}
+\end{tikzpicture}}
+
+\makeatletter
+\pgfdeclareradialshading[tikz@ball]{cloud}{\pgfpoint{-0.275cm}{0.4cm}}{%
+  color(0cm)=(tikz@ball!75!white);
+  color(0.1cm)=(tikz@ball!85!white);
+  color(0.2cm)=(tikz@ball!95!white);
+  color(0.7cm)=(tikz@ball!89!black);
+  color(1cm)=(tikz@ball!75!black)
+}
+\tikzoption{cloud color}{\pgfutil@colorlet{tikz@ball}{#1}%
+  \def\tikz@shading{cloud}\tikz@addmode{\tikz@mode@shadetrue}}
+\makeatother
+
+\tikzset{my cloud/.style={
+     cloud, draw, aspect=2,
+     cloud color={gray!5!white}
+  }
+}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
 \begin{document}
 
   \titlepage
 }
 
+\section{Einführung}
+
+\begin{frame}
+  \begin{block}{Wikipedia}
+    The Domain Name System Security Extensions (DNSSEC) is a suite of
+    Internet Engineering Task Force (IETF) specifications for securing
+    certain kinds of information provided by the Domain Name System
+    (DNS) as used on Internet Protocol (IP) networks. It is a set of
+    extensions to DNS which provide to DNS clients (resolvers) origin
+    authentication of DNS data, authenticated denial of existence, and
+    data integrity, but not availability or confidentiality.
+  \end{block}
+\end{frame}
+
+\begin{frame}
+  \frametitle{DNS Anfrage}
+  \begin{figure}
+    \centering
+    \begin{tikzpicture}
+      \begin{scope}[yshift=-5em, xshift=-5em]
+        \node[scale=1.5, server,debianblue](Client){};
+        \node[scale=1.5, server, left of=Client, xshift=-.75em](Gateway){};
+        \node[scale=1.5, server, left of=Gateway, xshift=-2em](ISP){};
+
+        \draw[thick,darkgray!10!gray] (Client.west)--(Gateway.east);
+        \draw[thick,darkgray!10!gray] (Gateway.west)--(ISP);
+      \end{scope}
+
+      \begin{scope}[xshift=15em, yshift=5em]
+        \node[thick, draw=darkgray, dotted, minimum width=12em, minimum
+        height=9em, xshift=-3.5em, yshift=-.5em] (siccegge) {};
+        \node[scale=1.2, server,debianblue](Master){};
+        \node[scale=1.2, server, right of=Master, yshift= 1.5em, xshift=1em](Slave 1){};
+        \node[scale=1.2, server, right of=Master, yshift=-1.5em, xshift=1em](Slave 2){};
+
+        \draw[thick,darkgray!10!gray] (Master.east)--(Slave 1);
+        \draw[thick,darkgray!10!gray] (Master.east)--(Slave 2);
+      \end{scope}
+
+      \begin{scope}[yshift=5em]
+        \node[thick, draw=darkgray, dotted, minimum width=12em, minimum
+        height=9em, xshift=-3.5em, yshift=-.5em] (de) {};
+        \node[scale=1.2, server,debianblue](Sub Master){};
+        \node[scale=1.2, server, right of=Sub Master, yshift= 1.5em,
+        xshift=1em](Sub Slave 1){};
+        \node[scale=1.2, server, right of=Sub Master, yshift=-1.5em,
+        xshift=1em](Sub Slave 2){};
+
+        \draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 1);
+        \draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 2);
+      \end{scope}
+
+      \draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Sub Slave 2.south);
+      \draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Slave 2.south);
+
+      \node[darkgray,above=.7em of Client.north,font=\LARGE] {Client};
+      \node[darkgray,below=0 of Gateway.south,font=\LARGE] {Heimrouter};
+      \node[darkgray,below=0 of ISP.south,font=\LARGE] {ISP};
+
+      \node[darkgray,below=0 of Master.south,font=\LARGE] {Master};
+      \node[darkgray,below=0 of Slave 2.south,font=\LARGE] {Slaves};
+      \node[darkgray,below=0 of Sub Master.south,font=\LARGE] {Master};
+      \node[darkgray,below=0 of Sub Slave 2.south,font=\LARGE] {Slaves};
+      \node[darkgray, above=0 of de, font=\LARGE]{.de};
+      \node[darkgray, above=0 of siccegge, font=\LARGE]{.siccegge.de};
+    \end{tikzpicture}
+  \end{figure}
+\end{frame}
+
+\section{Signaturen}
+
+% \begin{frame}
+%   \frametitle{ZSK, KSK}
+%   \begin{itemize}
+%   \item \texttt[KSK] ``KeySigningKey'' -- wird in der übergeordneten
+%     Zone referenziert und signiert alle Schlüssel \emph{in} der Zone
+%     \pause
+%   \item \texttt[ZSK] ``ZoneSigningKey'' -- wird durch den \texttt{KSK}
+%     authorisiert und signiert weitere Einträge
+%     \pause\bigskip
+%   \item Normalerweise gibt es \emph{einen} KSK und \emph{zwei} ZSKs in
+%     einer Zone
+%   \end{itemize}
+% \end{frame}
+
+\begin{frame}
+  \begin{description}
+  \item[KSK] ``KeySigningKey'' -- wird in der übergeordneten
+    Zone referenziert und signiert alle Schlüssel \emph{in} der Zone
+  \item[ZSK] ``ZoneSigningKey'' -- wird durch den \texttt{KSK}
+    authorisiert und signiert weitere Einträge
+  \end{description}
+  \begin{figure}
+    \centering
+    \begin{tikzpicture}[scale=1.2]
+      \tikzstyle{every node}=[font=\small]
+      \node[minimum width=8em,minimum height=12em,draw=gray](dezone) at (0,0) {};
+      \node[below=2em of dezone.south] {de. Zone};
+      \node[minimum width=8em,minimum height=12em,draw=gray](rootzone) at (-9em,0) {};
+      \node[below=2em of rootzone.south] {. Zone};
+      \node[minimum width=8em,minimum height=12em,draw=gray](sicceggezone) at (9em,0) {};
+      \node[below=2em of sicceggezone.south] {siccegge.de. Zone};
+
+      \node[ellipse,draw=debianred](rootksk) at (-9em,3em) {KSK};
+      \node[ellipse,draw=debianblue](rootzsk) at (-9em,0em) {ZSK};
+      \node[ellipse,draw=black](rootds)  at (-9em,-3em) {DS};
+
+      \node[ellipse,draw=debianred](deksk)  at (0em,3em) {KSK};
+      \node[ellipse,draw=debianblue](dezsk)  at (0em,0em) {ZSK};
+      \node[ellipse,draw=black](deds)   at (0em,-3em) {DS};
+
+      \node[ellipse,draw=debianred](sicceggeksk)  at (9em,3em) {KSK};
+      \node[ellipse,draw=debianblue](sicceggezsk)  at (9em,0em) {ZSK};
+      \node[ellipse,draw=black](arecord) at (6.5em,-2em) {\tiny{A}};
+      \node[ellipse,draw=black](aaaarecord) at (8em,-3em) {\tiny{AAAA}};
+      \node[ellipse,draw=black](sshfprecord) at (10.5em,-4em) {\tiny{SSHFP}};
+
+      \draw[arrow,draw=black] (rootds.south) |- ++(0,-2em) -| ([xshift=1em]rootzone.east)
+        |- ([xshift=4.5em,yshift=1em]rootzone.north) -| (deksk.north);
+      \draw[arrow,draw=black] (deds.south) |- ++(0,-2em) -| ([xshift=1em]dezone.east)
+        |- ([xshift=4.5em,yshift=1em]dezone.north) -| (sicceggeksk.north);
+
+      \draw[arrow,draw=debianred] (rootksk.south) -- (rootzsk.north);
+      \draw[arrow,draw=debianred] (deksk.south) -- (dezsk.north);
+      \draw[arrow,draw=debianred] (sicceggeksk.south) -- (sicceggezsk.north);
+
+      \draw[arrow,draw=debianblue] (rootzsk) -- (rootds);
+      \draw[arrow,draw=debianblue] (dezsk) -- (deds);
+      \draw[arrow,draw=debianblue] (sicceggezsk) -- (arecord);
+      \draw[arrow,draw=debianblue] (sicceggezsk) -- (aaaarecord);
+      \draw[arrow,draw=debianblue] (sicceggezsk) -- (sshfprecord);
+    \end{tikzpicture}
+  \end{figure}
+\end{frame}
+
+\begin{frame}
+  \frametitle{RRSIG}
+  \begin{block}{siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+        \begin{tabular}{llll}
+siccegge.de. & IN & A & 62.113.200.104\\
+siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\
+ &
+ \multicolumn{3}{l}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1}\\
+ & \multicolumn{3}{l}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=}\\
+\end{tabular}}}
+  \end{block}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Schlüsseltausch}
+  \begin{block}{Idee}
+    Wechsle die Schlüssel regelmäßig. Damit lassen sich auch kleine,
+    effizientere Schlüssel verwenden (DNS verwendet UDP!). Auch in
+    Sachen ``Revocation'' nützlich
+  \end{block}
+  \bigskip\pause
+  Schlüssel wechseln in DNS ist nicht so einfach: \pause Stichpunkt
+  \texttt{TTL}
+  \bigskip\pause
+
+  2 Methoden:
+  \begin{itemize}
+  \item Neuen Schlüssel vor der Verwendung veröffentlichen
+  \item Vorübergehend die Daten mit beiden Schlüsseln signieren
+  \end{itemize}
+\end{frame}
+
+\section{NSEC und NSEC3}
+\begin{frame}
+  \frametitle{Negative antworten}
+
+  \begin{block}{Problem}
+    Mit den \texttt{RRSIG}s lassen sich bestehende Einträge im DNS
+    bestätigen. Es ist aber immer noch möglich, Einträge
+    ``verschwinden'' zu lassen. Was also noch fehlt ist die
+    Möglichkeit, die nicht-Existenz von Einträgen zu signieren.
+  \end{block}
+\end{frame}
+
+%TODO Why
+\begin{frame}<1>[label=nsec]
+  \frametitle{NSEC (Next SECure)}
+  \begin{itemize}
+  \item<1-> Bilde einen Kreis, der alle vorhandenen Einträge umfasst
+  \item<2-> Speichere signierte Feststellung, dass zwischen zwei Namen
+    kein dritter liegt
+  \item<2-> Bei negativer Antwort (\texttt{NXDOMAIN}) sende auch den
+    signierten \texttt{NSEC} Eintrag in dessen Interval die Antwort
+    liegen würde\pause\bigskip
+  \item<3> ``Zonewalking'' auflistung aller Einträge in einer Zone
+  \end{itemize}
+\end{frame}
+
+\begin{frame}<-3>[label=ring]
+  \begin{figure}
+    \centering
+    \begin{tikzpicture}[scale=0.9]
+      \onslide<3>{
+        \fill[debianred!10] (165:17mm) arc (165:215:17mm) -- (215:27mm)
+        arc (215:165:27mm) -- cycle;
+
+        \path[decoration = {text along path, text = {NSEC},
+          text align = {align = center}, raise = -0.5ex}, decorate]
+        (201:29mm) arc (201:155:29mm);
+      }
+
+      \onslide<6>{
+        \fill[debianred!10] (110:17mm) arc (110:165:17mm) -- (165:27mm)
+        arc (165:110:27mm) -- cycle;
+
+        \path[decoration = {text along path, text = {NSEC3},
+          text align = {align = center}, raise = -0.5ex}, decorate]
+        (180:14mm) arc (180:123:14mm);
+      }
+
+      \foreach \sector/\sectorlabel/\hash/\hashlabel in {%
+        0/backup/evj1\dots/www,
+        1/git/imua\dots/git,
+        2/keyserver/mk9e\dots/wot,
+        3/wot/nq8c\dots/backup,
+        4/www/uv8c\dots/annex,
+        5/annex/5kau\dots/keyserver}%
+      {
+        \node[font=\bfseries](node\sector) at ({60 * (-\sector - .5)}: 22mm) {\alt<-4>{\sectorlabel}{\hash}};
+
+        \draw[->, >=latex] ({60 * (-\sector - .5)-10}:22mm)
+        arc ({60 * (-\sector - .5) - 10}:{60 * (-\sector-1)- 10}:22mm);
+
+        \onslide<5->{
+          \node[font=\bfseries, circle, fill=debianblue!50, text=darkgray](hash\sector) at ({60 * (-\sector -
+            .5) + 15}:38mm) {H};
+
+          \node[font=\bfseries](orig\sector) at ({60 * (-\sector -
+            .5) + 30}: 50mm) {\hashlabel};
+          \draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);)
+          \draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);)
+        }
+      }
+      \onslide<2->{
+        \node[font=\bfseries, left=8em of node3](null) {null};
+      }
+      \onslide<2-3>{
+        \draw[arrow] (null.east) -- ([yshift=3em]node2.west);
+      }
+      \onslide<5->{
+        \node[font=\bfseries, circle, fill=debianblue!50, above=3em
+        of null.north, xshift=2em, text=darkgray] (H) {H};
+        \draw[arrow, draw=darkgray] (null) -- (H);
+        \draw[arrow] (H) to node[above,font=\bfseries]{qfna\dots} ([yshift=1.5em]node3.north);
+      }
+    \end{tikzpicture}
+  \end{figure}
+\end{frame}
+
+\againframe<2->{nsec}
+
+\begin{frame}<1>[label=nsec3]
+  \frametitle{NSEC3}
+
+  \begin{itemize}
+  \item Statt Einträge in einem Ring anzuordnen, bilde zuerst eine
+    kryptographische Streusumme \pause
+  \item Verwende Salz und mehrere Runden der Streufunktion für
+    maximalen Effekt.
+  \end{itemize}\bigskip
+  \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+        \begin{tabular}{llll}
+siccegge.de. & IN & NSEC3PARAM & 1 0 5 6D1DAF17E2A6A252
+\end{tabular}}}
+  \end{block}
+\end{frame}
+
+\againframe<4->{ring}
+
+\againframe<2->{nsec3}
+
+\begin{frame}
+  \frametitle{Überprüfung negativer Antworten}
+  \begin{block}{Ziel}
+    Es ist trivial, in der \texttt{de}-Zone zu zeigen, dass dort
+    \texttt{www.siccegge.de} nicht existiert -- obwohl der name
+    durchaus vorhanden ist (allerdings nicht in der \texttt{de}-Zone
+    sondern in der \texttt{siccegge.de}-Zone). Wir müssen also auch
+    zeigen, dass wir in der ``richtigen'' Zone operieren.
+  \end{block}\pause
+  \begin{block}{``Closest Encloser''}
+    Daher 3 \texttt{NSEC3}-Einträge:
+    \begin{itemize}
+    \item Für die kürzeste, nicht mehr existente Oberdomäne zur
+      Anfrage, den \texttt{NSEC3}-Eintrag, der das Intervall überspannt.
+    \item Den um eine Komponente gekürzten \texttt{NSEC3}-Eintrag, der
+      entweder \emph{keinen} \texttt{NS}-Eintrag oder auch das Flag
+      für \texttt{SOA} enthält.\pause
+    \item Den \texttt{NSEC3}-Eintrag, der das Fehlen eines
+      Wildcard-Eintrags an dieser Stelle nachweist.
+    \end{itemize}
+  \end{block}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Negative Antwort}
+  \begin{block}{siccegge.de hat SOA}\resizebox{\textwidth}{!}{\texttt{
+     \begin{tabular}{rl}
+ 4ma0fb5t2s6kjtgc6r3qi4o49bn7pc4i.siccegge.de. & 3573 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ 4TRVQLKF545FSK90ED6NCJ7DGMOJB6I8 & A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM \\
+     \end{tabular}}}
+  \end{block}
+  \texttt{null.siccegge.de} hat den Hash-Wert \texttt{qfna56rlmnlbp3e85m4d6ckonnmpfg1i}
+  \begin{block}{null.siccegge.de existiert nicht}\resizebox{\textwidth}{!}{\texttt{
+     \begin{tabular}{rl}
+ qd2uevk27c2tdrh6535e0mkiratu1t5h.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ QLLMC1NCRMN4AU8QCFQ24VAH7JFM6LQ6 & \\
+     \end{tabular}}}
+  \end{block}
+  \texttt{*.siccegge.de} hat den Hash-Wert \texttt{68m2atv9712l3e67oua61u5hp0v0273a.}
+  \begin{block}{*.siccegge.de existiert nicht }\resizebox{\textwidth}{!}{\texttt{
+     \begin{tabular}{rl}
+ 63r09adu0p1vdmkif5eb4dr6m2a3l5cp.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ 6BJ555D3Q50SL34D50L1PGU887R73DC9 & RRSIG TLSA \\
+     \end{tabular}}}
+  \end{block}
+\end{frame}
+
+\section{Zusatznutzen}
+\begin{frame}{DANE}
+  Nachdem unser DNS jetzt kryptographisch abgesichert ist (auch nicht
+  schlechter als das CA System) kann man dort jetzt sicher weiteres
+  Schlüsselmaterial ausliefern:
+  \begin{itemize}
+  \item TLSA für alles was SSL/TLS macht
+  \item SSHFP für SSH Fingerprints
+  \item PGP-Schlüssel-Enträge
+  \item \dots
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{TLSA}
+  \begin{block}{TLSA}\resizebox{\textwidth}{!}{\texttt{
+        \begin{tabular}{llll}
+\_25.\_tcp.oteiza.siccegge.de. & IN & TLSA & 3 1 1
+101B5B5CCDC5568CEC385552611FD0355BF15DB293E96F46E29DE4A0C4B2BC3F \\
+\_443.\_tcp.siccegge.de. & IN & TLSA & 3 1 1
+62BEBD9F2E77CF26A4006A50F69FC3891BF7BEDDAEF8AC96E57C1D9BA2AB1F73 \\
+\_5222.\_tcp.xmpp.egger.im & IN & TLSA & 3 1 1 9c93fab0d88c911592dedfa7f9385aeee228b0c6d526813ad1182c983677736b
+\end{tabular}}}
+  \end{block}
+  \bigskip\pause
+  Achtung! Beim Schlüsseltausch gibt's wieder Spass.
+  \bigskip\pause
+  \begin{itemize}
+  \item 3: Bezeichnet ein Service Zertifikat
+  \item 1: Angegeben wird der öffentlich Schlüssel, nicht das
+    Zertifikat
+  \item 1: Angegeben wird eine \texttt{SHA256}-Summe
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{SSHFP}
+  \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+        \begin{tabular}{lll}
+git.siccegge.de & IN & SSHFP 1 1 0E812EE0A3704230F3C415076E1BAA149A5DC75B\\
+git.siccegge.de & IN & SSHFP 1 2 1CBACAF365040DC1DF841FD07D9186BC343D4AF7DCF689CC8CF4A2F75D7F4B57\\
+git.siccegge.de & IN & SSHFP 3 1 A2D0495E912DA039EEA51A1593F7F74FB919AAD4\\
+git.siccegge.de & IN & SSHFP 3 2 9BF73E3654AA65B847054247F85EFB5C88AB7460840B9C922E647B00696661CF\\
+git.siccegge.de & IN & SSHFP 4 1 2A3EF64AC589193ACFAD783B62E3C193A67F3F46\\
+git.siccegge.de & IN & SSHFP 4 2 880686195D6C1AAA6791F3A3EF4E7B565DCF9F560F2F1BBB93C56EFD5996F335\\
+\end{tabular}}}
+  \end{block}
+  \bigskip\pause
+  \begin{itemize}
+  \item Erste Zahl: Hostkeytyp
+  \item Zweite Zahl: Prüfsummentyp
+  \end{itemize}
+\end{frame}
+
+\section{Software}
+\begin{frame}{Überblick}
+  \begin{block}{Nameserver}
+    Müssen zusätzliche Einträge ausliefern (\texttt{RRSIG},
+    \texttt{NSEC3}). Für \texttt{NSEC3} müssen die richtigen Einträge
+    gefunden wernden
+  \end{block}\pause
+  \begin{block}{Signaturwerkzeuge}
+    \begin{itemize}
+    \item Müssen \texttt{RRSIG}s für die vorhandenen Einträge
+      erstellen und gelegentlich erneuern
+    \item Müssen die \texttt{NSEC3}- und \texttt{NSEC3PARAM}-Einträge
+      erstellen und signieren
+    \item Sollten Möglichkeit zum Schlüsseltausch beiten
+    \end{itemize}
+  \end{block}\pause
+  \begin{block}{Registrar}
+    Irgendwie müssen die Schlüssel in die darüberliegende Zone
+    kommen. Wenige Registrare haben das schon im Interface vorgesehen,
+    etliche lassen sich aber per Mail an den Support überreden
+  \end{block}
+\end{frame}
+
+\begin{frame}{Nameserver}
+  \begin{block}{Software}
+    Alle nennenswerten Nameserver (nsd, bind, powerdns, knot, \dots) können heutzutage DNSSEC ausliefern.
+  \end{block}\pause
+  \begin{block}{Sekundärserver}
+    Kaum ein kostenfreier Sekundärserveranbieter unterstützt DNSSEC --
+    das liegt unter anderem an den deutlich größeren Antworten und dem
+    Rechenbedarf für \texttt{NSEC3}, die signifikant Resourcen
+    verbrauchen.
+
+    $\Rightarrow$ Selber hosten (mit Freunden), beim Registrar schauen
+    oder bezahlen.
+  \end{block}
+\end{frame}
+
+\begin{frame}{Signaturwerkzeuge}
+  Im Grunde gibt es zwei Typen von Signaturwerkzeugen
+  \begin{block}{Im primären Nameserver}
+    BIND, Knot, PowerDNS
+    \begin{description}
+    \item[Vorteile] Keine weiteren Werkzeuge, dynamische Updatesmöglich
+    \item[Nachteile] Schlüsselmaterial im Netzwerkserver, bestehende
+      Implementierungen unflexibel in Sachen Schlüsselrotation
+    \end{description}
+  \end{block}\pause
+  \begin{block}{Separates Signaturwerkzeug}
+    OpenDNSSEC, dnssec-tools, cron
+    \begin{description}
+    \item[Vorteile] Flexibel, Signaturlösung Nameserver-agnostisch
+    \item[Nachteile] Softwarequalität \dots, weiteres Element, das
+      kaputt gehen kann
+    \end{description}
+  \end{block}
+\end{frame}
+
+\begin{frame}{Fragen?}
+  Download: https://static.siccegge.de/talks/dnssec-augsburg-2015-03-28.pdf\\
+  https://git.siccegge.de/?p=talk/dnssec.git
+
+    \vspace*{\fill}
+    \begin{center}
+        \includegraphics[width=7cm]{images/42.pdf}
+    \end{center}
+    \vspace*{\fill}
+\end{frame}
+
 \end{document}
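Review bot: The two `\draw` lines inside the `\onslide<5->` block of the `ring` frame's `\foreach` loop end in `;)`; the parenthesis after the semicolon belongs to no path, so TikZ will either typeset a stray `)` into the picture or abort with an error depending on the version, and it should be dropped: `\draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);` and `\draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);`. The NSEC3 frame's statement that salt and several hash rounds give "maximalen Effekt" deserves a caveat in the speaker notes: extra iterations only marginally slow an offline dictionary walk of the hashed names while raising validator and server load (the Sekundärserver frame already points at that cost), and later guidance in RFC 9276 recommends zero additional iterations and an empty salt. On the closing frame the download links are raw text separated by `\\`; beamer loads hyperref, so `Download: \url{https://static.siccegge.de/talks/dnssec-augsburg-2015-03-28.pdf}` on its own paragraph gives a clickable, line-breakable link. The `\tikzstyle` definitions in the preamble and `\tikzstyle{every node}` in the key-chain figure are the deprecated form; `\tikzset{netdb/.style={...}}` and `every node/.style={font=\small}` are the current equivalents.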